[llvm-dev] LLDB security and the use of an IPC library

Demi Marie Obenour via llvm-dev llvm-dev at lists.llvm.org
Wed Apr 26 12:26:08 PDT 2017


LLDB currently uses a client-server architecture.  That appears fine,
but runs into an annoying security problem: other users on the same
machine can connect to the TCP socket and take over LLDB and thus the
user’s system.  This means that LLDB is useless in multiuser
environments on Linux, such as academic computer labs.

The immediate problem can be solved by using either HMAC authentication
of all messages or by using Unix domain sockets.  However, it might be
simpler to use a 3rd party library for the purpose:
https://github.com/DemiMarie/SlipRock (Disclaimer: I wrote SlipRock).

Questions:

- Would you be interested in using SlipRock?

- What features would SlipRock need in order to be useful to you?  In
  particular, do you need an asynchronous API, or is synchronous fine?

- If not, would you be willing to accept patches to fix the existing
  bug?

Sincerely,

Demi Obenour
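
The Unix domain socket option named in the message above, sketched as an added example; it is not part of the original post and is not LLDB or SlipRock code. It assumes Linux (`SO_PEERCRED`), and the function names, directory prefix and socket file name are hypothetical.

```python
# Added example: a debug-server style listener that other local users cannot reach.
import os
import socket
import struct
import tempfile


def listen_private():
    """Listen on a Unix domain socket inside a fresh directory only we can enter."""
    directory = tempfile.mkdtemp(prefix="dbgsrv-")  # mkdtemp creates it with mode 0700
    path = os.path.join(directory, "sock")          # hypothetical socket file name
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    return server, path


def peer_uid(conn):
    """Return the UID the kernel recorded for the process at the other end."""
    fmt = "iII"  # struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    _pid, uid, _gid = struct.unpack(fmt, raw)
    return uid


def accept_same_user(server):
    """Accept one connection and drop it unless the peer runs as our own user."""
    conn, _ = server.accept()
    if peer_uid(conn) != os.geteuid():
        conn.close()
        return None
    return conn


def demo():
    """Connect to our own listener; return (accepted, directory permission bits)."""
    server, path = listen_private()
    directory = os.path.dirname(path)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.connect(path)
    conn = accept_same_user(server)
    accepted = conn is not None
    mode = os.stat(directory).st_mode & 0o777
    for sock in (conn, client, server):
        if sock is not None:
            sock.close()
    os.unlink(path)
    os.rmdir(directory)
    return accepted, mode


if __name__ == "__main__":
    print(demo())
```

The directory permissions keep other users from reaching the socket path at all, and the `SO_PEERCRED` check is a second, kernel-backed test that does not depend on the filesystem layout.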

